Hi,
I use tor-instance-create to spawn a number of relay instances. However, there seems to be one extra instance running - the default one that reads /etc/tor/torrc (and not /etc/tor/instances/INSTANCE/torrc).
How do I disable that default tor relay? It opens port 9050 and does who else knows what by default. I can delete /etc/tor/torrc and it seems to do the trick, however, I am not sure how permanent this change will be with automatic package updates.
Thanks!
Hello.
The ultra-paranoid would comment that it is better to have dedicated machines / VMs for each instance, and that machine should do nothing more than be a relay. However, sometimes that isn't an option, so instead there is tor-instance-create.
It sounds like your problems are in a file at /usr/share/tor/tor-service-defaults-torrc. Even if in your /etc/tor/torrc file you don't enable the SOCKSport, control port etc, they will be enabled because of this service defaults file. I believe there will also be copies of this service-defaults in /usr/share/tor for instances to use.
In the default configuration, tor-instance-create will end up with two relays trying to use SOCKSport 9050, enable control port at 9051 with cookie and a few other things (yet more race conditions) AND no logs so you have no idea what is happening.
Firstly, delete what you don't want from /usr/share/tor/tor-service-defaults-torrc file and its copies. Try to use /etc/tor/torrc and /etc/tor/instances/instance_name/torrc for all options and it will be easier to manage.
Secondly, enable logs for all relays. You will have to change the default file from /var/log/tor/notices.log to notices_instance1.log or something for each instance. This will stop race conditions for the logs; you will have to follow the same logic for everything else (e.g. race to use port 9050).
Lastly, if you want to stop the "first/main" instance from running I use sudo service tor stop, but this will change depending on your machine / OS.
BTW if you delete /etc/tor/torrc, apt-get will ask you, displaying a screen that says "the package maintainer has shipped a new configuration file what do you want to do" with about 4/5 options. It will only (re-)install /etc/tor/torrc if you tell it to (the default option is no I think).
I hope that helps.
Thanks.
On 21 March 2018 at 05:43, Igor Mitrofanov igor.n.mitrofanov@gmail.com wrote:
> Hi,
> I use tor-instance-create to spawn a number of relay instances. However, there seems to be one extra instance running - the default one that reads /etc/tor/torrc (and not /etc/tor/instances/INSTANCE/torrc).
> How do I disable that default tor relay? It opens port 9050 and does who else knows what by default. I can delete /etc/tor/torrc and it seems to do the trick, however, I am not sure how permanent this change will be with automatic package updates.
> Thanks!
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On 21.03.2018 13:46, Gary wrote:
> Firstly, delete what you don't want from /usr/share/tor/tor-service-defaults-torrc file and its copies.
Please don't. As general advice, really avoid messing with configuration files that ship with the distribution. Editing files in /usr/share is *never* a good option.
Nusenu's suggestion to "mask" the default systemd service is much better.
> Secondly, enable logs for all relays. You will have to change the default file from /var/log/tor/notices.log to notices_instance1.log or something for each instance. This will stop race conditions for the logs; you will have to follow the same logic for everything else (e.g. race to use port 9050).
On systemd-based machines, journalctl takes care of logging. You do not need to have any additional logging enabled in Tor (unless you really want to). By default, journalctl logs are not persistent across sessions. Also here, in most cases you will want to do it "the systemd way" and change your logging policies globally, instead of on a custom per-service level.
> BTW if you delete /etc/tor/torrc, apt-get will ask you, displaying a screen that says "the package maintainer has shipped a new configuration file what do you want to do" with about 4/5 options. It will only (re-)install /etc/tor/torrc if you tell it to (the default option is no I think).
I recommend that people use an update manager like unattended-upgrades and let it auto-upgrade everything, and even let it auto-reboot if necessary. Add some external monitoring (cheap options are free services like uptimerobot.com), and you will learn if something goes wrong. It is better to have a Tor relay that is up to date and have it break sometimes (I have not seen this happening ever) than to have outdated packages/kernels.
See https://torservers.net/wiki/setup/server for some references.
Igor Mitrofanov:
> Hi,
> I use tor-instance-create to spawn a number of relay instances. However, there seems to be one extra instance running - the default one that reads /etc/tor/torrc (and not /etc/tor/instances/INSTANCE/torrc).
> How do I disable that default tor relay? It opens port 9050 and does who else knows what by default. I can delete /etc/tor/torrc and it seems to do the trick, however, I am not sure how permanent this change will be with automatic package updates.
To solve the same issue in ansible-relayor, I mask the default instance.
You would do something like:

    systemctl mask tor@default
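
The port and log-file collisions discussed in this thread can be checked for before the instances are started. The following is an added example, not code from the thread or from the Tor or Debian packages; the function names are hypothetical, and it compares only options written explicitly in the files passed to it (built-in and service-default values are not modelled).

```shell
#!/bin/sh
# Added example: report listener ports and log files that more than one
# torrc claims. Function names are hypothetical, not part of any Tor tooling.

# torrc_claims FILE...
# Prints "<resource><TAB><file>" for each numeric listener port and each
# "Log ... file PATH" target found in the given files.
torrc_claims() {
    awk '
        { sub(/#.*/, "") }                  # drop comments
        NF < 2 { next }                     # skip blank / valueless lines
        { opt = tolower($1) }               # option names are case-insensitive
        opt ~ /^(socksport|controlport|orport|dirport)$/ {
            port = $2
            sub(/^.*:/, "", port)           # strip an "address:" prefix
            # Skip "0" (disabled), "auto" and unix: socket paths.
            # Assumption: the same port on different addresses is still
            # reported, so the check errs on the side of flagging.
            if (port ~ /^[0-9]+$/ && port + 0 > 0)
                print "port " port "\t" FILENAME
        }
        opt == "log" {
            for (i = 2; i < NF; i++)
                if (tolower($i) == "file")
                    print "log " $(i + 1) "\t" FILENAME
        }
    ' "$@"
}

# torrc_collisions FILE...
# Prints one line per resource claimed by two or more files:
#   port 9050: fileA fileB
torrc_collisions() {
    torrc_claims "$@" | LC_ALL=C sort -u | awk -F '\t' '
        { n[$1]++; who[$1] = who[$1] " " $2 }
        END { for (r in n) if (n[r] > 1) print r ":" who[r] }
    ' | LC_ALL=C sort
}

# Typical call: sh this_script /etc/tor/torrc /etc/tor/instances/*/torrc
if [ "$#" -gt 0 ]; then
    torrc_collisions "$@"
fi
```

No output means no two of the given files claim the same explicit port or log file.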